Financial Services Compliance

What the SEC’s Proposed Vendor Due Diligence Rule Means for RIAs

by Smarsh

Subscribe to the Smarsh Blog Digest

Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

In line with an ongoing trend to establish cybersecurity protocols for registered investment advisers (RIAs), the Securities and Exchange Commission (SEC) voted on a proposal to address vendor due diligence and security.

As the financial services industry adapts to changing market conditions and an increasingly digital business landscape, the need to incorporate new tools and services to meet demand efficiently has also grown. The proposed rule expands the definition of a vendor, focusing not only on software and cloud solutions, but also on service providers such as consultants, law firms, and accounting firms.

Under the Investment Advisers Act of 1940, the proposed SEC vendor due diligence rule prohibits RIAs from outsourcing certain services or functions without first meeting minimum due diligence requirements.

"When an investment adviser outsources work to third parties, it may lower the adviser’s costs, but it does not change an adviser’s core obligations to its clients. Thus, today’s proposal specifies requirements for investment advisers designed to ensure that advisers’ outsourcing is consistent with their obligations to clients."

-- Gary Gensler, SEC Chair

Key elements of the proposal

SEC Chairman Gary Gensler said the organization had “observed an increase in advisers outsourcing and issues related to the outsourcing and advisers’ oversight.”

The proposed SEC outsourcing rule and amendments would apply the following requirements:

  • Reasonably identify and determine thorough due diligence before outsourcing a covered function to a service provider
  • Periodically monitor performance and reassess whether due diligence requirements are being met, to determine whether the relationship should continue

The proposal also includes amending the RIA registration form, Form ADV to provide more specific information about service providers and their functions, allowing for greater transparency and oversight.

Proposed vendor requirements

The proposed rule imposes further RIA due diligence and monitoring provisions on third-party vendors that provide recordkeeping functions.

Conducting due diligence will be mandatory to assure that vendors meet four standards:

  • Adopt and implement internal procedures for producing and retaining records maintained on behalf of the adviser to comply with the recordkeeping rule
  • Produce and/or retain records that comply with recordkeeping rule requirements applicable to the adviser
  • Allow access to digital records
  • Ensure accessibility to digital records even after the vendor’s contract terminates or if the vendor goes out of business

Addressing SEC third-party due diligence requirements with potential vendors and reassessing existing service provider relationships enable necessary policy adjustments, agreements, and risk management.

VRM WB Email 910x200

How financial firms can prepare

So, what does this mean for RIAs and firms? Working with vendors is a critical part of doing business — but they must be trusted to access, handle and transmit highly sensitive information.

A vendor risk management solution simplifies the vendor risk assessment process by automating the most resource-intensive parts of third-party risk evaluation and management, including:

  • Flexibility to create any relevant assessment questionnaire
  • Automating the time-consuming process of grading vendor assessments and adjusting contract clauses to match
  • Maintain auditable tracking of remediation plans and validation documentation
  • Real-time reporting for cross-functional visibility
  • Customization of assessments and rules to meet each firm’s unique needs
  • Ongoing monitoring and remediation

As the vendor ecosystem expands and security threats evolve, firms should be proactive in their due diligence process. Performing annual reassessments, armed with a modern vendor risk management solution will help RIAs stay secure and compliant.

Share this post!

Smarsh
Smarsh Blog

Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.

Ready to enable compliant productivity?

Join the 6,500+ customers using Smarsh to drive their business forward.

Get a Quote

Tell us about yourself, and we’ll be in touch right away.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

Contact Us

Tell us about yourself, and we’ll be in touch right away.